Nathan Ziehnert

8 minute read

After taking over a year long hiatus on this series (can I even call it a series if there was only one post?), I got a gentle reminder that I should finish what I started (thanks for the reminder @markraldridge). So when we last talked about this we had a brief top-level overview of how AGPM functions and a promise that the next post would cover installation of AGPM and creating/deploying your first controlled policy. First off - I attempted to make all of that into one post but it got excessively long, so this post will focus on installation and configuration of the AGPM components and the next post will talk about creating/deploying your first controlled policy (I promise it won’t be a year between this post and the next one). With that said I guess it’s time for me to take some advice from Shia…

just do it

What You’ll Need

  • A Windows device to act as the AGPM Server: this can be a workstation OS - I won’t tell anyone. (If you have multiple forests you’ll need an AGPM server for each - this post will only cover the basic single server scenario for a single forest, but you can read the planning guide available here if you need planning information for multiple forests)
  • A service account: We’ll use this account to become the master owner of the group policies as well as the archive owner on the AGPM server (more about that later)
  • User groups for permission delegation: While you can manage this manually, it’s a better idea to just create groups now
  • The AGPM installation media from MDOP: You need AGPM 4.0 SP3 if you are going to be installing it on Server 2016 or Windows 10 - other OSes are also supported with this version, but it is the minimum for W10/S16 (it also supports as far back as 2008 or Vista although there are limitations covered here).
  • SMTP Server or relay through Exchange [Optional]: AGPM uses SMTP to send notice to certain delegations (such as approvals requests)
  • Local firewall settings access: AGPM will by default utilize TCP Port 4600 for communication - you can configure this for another port, but you will still need to open it for incoming connections.

Service Account Creation

Arguably the “hardest” part of this installation if you choose to do it from a least privilege perspective. If you don’t care about privileges you can just put the account in “Domain Admins” (which gives you the added benefit of having a domain admin account to do what you want with… I kid, I kid… please attempt the least privilege route - I’m not sure why Microsoft even considers that a “good” practice). For the purposes of this article we’ll call the account LAB16\SA.AGPM (LAB16 is my 2016 lab… obviously your domain will be different). The account:
  1. Needs to be a member of the “Group Policy Creator Owners” group in each domain that AGPM will manage
  2. Needs to be a member of the “Backup Operators” group in each domain that AGPM will manage
  3. Needs to be a member of the “Administrators” group on the AGPM Server
    • If you want true “least privilege” it really only needs:
      • Full Control permission on the AGPM archive folder (automatically created at install time)
      • Full Control permission on the %windir%\temp folder (or whatever the local system temp folder is configured to)
      • Full Control permission on any existing GPOs that AGPM will manage
  4. Needs to be given full control over existing GPOs (see this post - yeah, you skip ahead a bit… if you’re following along you can wait until you reach that post…)

User Group Creation

The following roles can be configured within AGPM:
  • AGPM Administrator: Full control of AGPM including delegating permissions.
  • Approver: Deploys GPOs to production, create/delete GPOs, approve/reject changes by editors, and view settings in GPOs. They CANNOT edit controlled GPOs.
  • Editor: View settings in GPOs, can request that GPOs be created, deployed, or deleted (they may not do this themselves), and edit settings in GPOs.
  • Reviewer: can view the list of GPOs in a domain, and create/view reports of the policy settings in a GPO (the other roles can also do all of this).
You can separate these out to different groups if you want to - it all depends on how you want to separate concerns in GPO management in your organization. Maybe your help desk can review but not edit or approve and maybe QA gets final approval rights. If you’re like us, we really use it as more of a change control system than anything else, so everyone responsible for Group Policy gets administrator access. For this guide, I’m going to create four separate groups:
  • SG.GPO.Admins
  • SG.GPO.Approvers
  • SG.GPO.Editors
  • SG.GPO.Reviewers

Installing AGPM Server Components

Okay, now that we’ve got our accounts squared away let’s get to installing! Logon to your AGPM server and load up your MDOP media. We’re looking for the “agpm_403_server_amd64.exe” media (assuming you are running the 64-Bit version of whatever OS you’re installing the AGPM server to). Double-click this installer and then follow the prompts until you reach the “Archive Path” page. Now here you have a decision to make - you can store it in the default location, or if you want to put it somewhere else, that’s perfectly fine - just note that the “folder will be secured to only allow access by the AGPM Service Account”.

Now on the AGPM Service Account page, enter the account name and credentials for your AGPM Service Account

Now on the “Archive Owner” page, enter the SG.GPO.Admins group that we created earlier. If you decided not to create a group - you just need to select a user or group who will initially be the AGPM Administrator(s).

On the “Port Configuration” page, you can select a different port, but for our purposes we’ll keep the default TCP port of 4600. On the “Languages” page, you only need select the languages that you will be managing GPOs in - although leaving them all selected doesn’t really make a big difference either. Finally click “Install”. Once the installation is complete, we’ll install the AGPM Client so that we can manage policies.

Installing AGPM Client Components

From whatever machine you want to manage policies from we’re going to first install the Group Policy Management Console. If you’re on a Server OS this is done via “Add Roles and Features” - on a workstation OS this is done from “Programs and Features” > “Turn Windows features on or off” but first requires the appropriate Remote Server Administration Tools patch to be installed. We’re going to install the “Group Policy Management Tools” under “Remote Server Administration Tools” > “Feature Administration Tools”. Once the Group Policy Management Console has been installed, we can proceed with the AGPM Client installation.

Run the “agpm_403_client_amd64.exe” to install the AGPM client - leave all the defaults until you reach the page asking for your AGPM server and port. On that screen enter the FQDN of the AGPM Server and the port (if different from 4600) - you’ll also need to allow MMC through the firewall. On the languages page, select the languages you wish to install and then press “Next”. Finally press “Install” to install the client.

Configuring AGPM and Configuring Delegation

Okay - now we’re making some progress. Open up the Group Policy Management Console - if you’re already familiar with this console you should see a new folder in your domain called “Change Control” - this is AGPM.

Go ahead and click it, and it should establish a connection to the AGPM Server. Make sure you do it with an account belonging to the group we set earlier - otherwise you’ll get this fun error message:


If you did everything correctly, you should end up on a screen similar to this:

Now click on the “Domain Delegation” tab and we’ll get our permissions setup based on the groups we created earlier. You’ll notice that the group we added during installation already has the “Full Control” role added. Just work down your group or user list, press “Add…” and then select the correct role - mine ended up looking a little like this:

Up top you can configure your SMTP settings - I’m using a nifty little utility called PaperCut that simulates a local SMTP server for testing purposes so I’m not putting anything in the User name or Password fields. The “To” email address is only a single field, so you can’t separate out your notifications to different groups, but in theory this is only going to the Approvers and Admins anyways.

Alright - now we’re finished configuring the settings for this domain - you will need to do this for each domain that belongs to the forest.


You’ve got a fully configured AGPM server now! In the next post we’ll walk through two separate workflows for creating and managing controlled policies - one where you have full administrative rights, and the other when you want to walk through the approval flow with different access levels. Until next time, happy admining!

comments powered by Disqus